Liquid Templates in Puppet - Initial Release

Puppet has always supported templating via
ERB
and while it’s a powerful, flexible templating engine the ability to use
any arbitrary ruby code inside a template that’s run on the
puppet master sometimes raises some eyebrows. As part of a security
architecture review the concept of replacing the templating engine with
something that still allows looping and text manipulation without
allowing too much else was discussed and led to the idea of allowing
templates to be written in Liquid.

Liquid is a ‘Ruby library for rendering safe templates which cannot affect
the security of the server they are rendered on.’ That sounds like what we
want so let’s install the module and write a small test template

There is additional overhead in writing your templates in a language
that’s not puppets default but for situations where you have a number of
different people writing your templates, changing to something like
Liquid can provide another layer of protection for your puppetmasters. This
is an initial proof of concept and while it’s enough to keep our
conversation going you may not want to move everything to it just yet.